Forensic analysis of social networking applications on mobile devices

DIGITAL FORENSIC RESEARCH CONFERENCE

Social Networking Applications on Mobile Devices

By

Noora Al Mutawa, Ibrahim Baggili and Andrew Marrington

From the proceedings of

The Digital Forensic Research Conference

DFRWS 2012 USA

Washington, DC (Aug 6th - 8th)

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics

research. Ever since it organized the first open workshop devoted to digital forensics

in 2001, DFRWS continues to bring academics and practitioners together in an

informal environment.

As a non-profit, volunteer organization, DFRWS sponsors technical working groups,

annual conferences and challenges to help drive the direction of research and

development.

http:/dfrws.org

Forensic analysis of social networking applications on mobile devices

Noora Al Mutawa, Ibrahim Baggili, Andrew Marrington*

Advanced Cyber Forensics Research Laboratory, Zayed University, PO Box 19282, Dubai, United Arab Emirates

Keywords:Mobile device forensicsSocial networkingiPhoneAndroidBlackberry

a b s t r a c t

The increased use of social networking applications on smartphones makes these devicesa goldmine for forensic investigators. Potential evidence can be held on these devices andrecovered with the right tools and examination methods. This paper focuses on conductingforensic analyses on three widely used social networking applications on smartphones:Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones:BlackBerrys, iPhones, and Android phones. The tests consisted of installing the socialnetworking applications on each device, conducting common user activities through eachapplication, acquiring a forensically sound logical image of each device, and performingmanual forensic analysis on each acquired logical image. The forensic analyses were aimedat determining whether activities conducted through these applications were stored onthe device’s internal memory. If so, the extent, significance, and location of the data thatcould be found and retrieved from the logical image of each device were determined. Theresults show that no traces could be recovered from BlackBerry devices. However, iPhonesand Android phones store a significant amount of valuable data that could be recoveredand used by forensic investigators.

ª 2012 A. Marrington, N. Al Mutawa & I. Baggili. Published by Elsevier Ltd. All rightsreserved.

1. Introduction

The last several years have witnessed the rapid evolu-tion of a new form of online communication known associal networking. By joining websites that offer theseservices, users can interact and socialize, share informationand ideas, post comments and updates, participate inactivities and events, upload files and photos, and engage inreal-time instant messaging and conversations. Thesewebsites attract millions of people from all over the world.A study estimated that the number of unique users ofonline social networks worldwide was about 830 million atthe end of 2009 (International Telecommunications Union,2010).

Despite being primarily used to communicate andsocialize with friends, the diverse and anonymous nature ofsocial networkingwebsitesmakes themhighly vulnerable tocybercrimes. Phishers, fraudsters, child predators, and other

cyber criminals can register to these services with fakeidentities, hiding theirmalicious intentionsbehind innocent-appearing profiles. Social networks also encourage thepublication of personal data, such as age, gender, habits,whereabouts, and schedules. The wealth of personal infor-mation uploaded to these websites makes it possible forcyber criminals to manipulate this information to theiradvantage and use it to commit criminal acts. Other abusiveactivities that can be committed on these websites includeuploading illegal or inappropriate material, defaming, andstalking (de Paula, 2009). The large number of criminal actsthat can be performed through social networks raises theimportance of digital forensics in this area. Electronicevidence retrieved from social networking activities ona suspect’smachine canbeofgreat assistance in investigatinga criminal case by incriminating or proving the innocence ofa suspect.

Besides accessing social networking sites via desktopcomputers and laptops, subscribers can use their smart-phones to tap into these services. A survey conducted byRuder Finn (a PR agency) showed that “91% of smartphone

* Corresponding author. Tel.: þ971 4 402 1199; fax: þ971 4 402 1017.E-mail address: [email protected] (A. Marrington).

Contents lists available at SciVerse ScienceDirect

Digital Investigation

journal homepage: www.elsevier .com/locate /d i in

1742-2876/$ – see front matter ª 2012 A. Marrington, N. Al Mutawa & I. Baggili. Published by Elsevier Ltd. All rights reserved.doi:10.1016/j.diin.2012.05.007

Digital Investigation 9 (2012) S24–S33

users go online to socialize compared to only 79% oftraditional desktop users”. It also showed that 43% ofsmartphone users use them to communicate with peopleon social networking sites (Finn, 2012). Approximately halfof Facebook’s users access Facebook through a mobiledevice, such as a smartphone or tablet. According to Face-book, these users are twice as active as users who do notaccess Facebook through a mobile device (Facebook, 2011).Given that millions of users access social networks throughsmartphones and that smartphones provide 24/7 access tothese services, there is a high risk of the abuse of theseservices by users with malicious intentions. Therefore,when a forensic examination is performed on a suspect’ssmartphone, there might be a chance of finding evidencethat supports criminal prosecution.

Forensic examination of smartphones is challenging.Smartphones are always active and are constantly updatingdata, which can cause faster loss of evidentiary data.Second, the operating systems (OS) of smartphones aregenerally closed source, with the notable exception ofLinux-based smartphones, which makes creating customtools to retrieve evidence a difficult task for forensicexaminers. In addition, smartphone vendors tend to releaseOS updates very often, making it hard for forensic exam-iners to keep up with the examination methods and toolsrequired to forensically examine each release. The varietyof proprietary hardware of smartphones is another issuefaced by forensic examiners (Al Zarouni, 2006).

This paper focuses on conducting forensic analyses onthree widely used social networking applications onsmartphones: Facebook, Twitter, and MySpace. The testswere conducted on three popular smartphones: BlackBerryTorch 9800, iPhone 4, and the Android-based SamsungGalaxy S, and consisted of installing the social networkingapplications on each device, conducting common useractivities through each application, acquiring a forensi-cally-sound logical image of each device, and performinga manual forensic analysis on each acquired image. Thepurpose of our analysis was to determinewhether activitiesconducted through these applications were stored on thedevice’s internal memory. If so, the amount, significance,and locations of data that could be found and retrievedfrom the logical image of each device were determined.

2. Related work

2.1. Mobile device forensics

Initial work in this field has focused on acquisitiontechniques and general forensic analyses of smart devices.In his paper, Burnette discussed the forensic examination ofolder versions of the BlackBerry and covered the hardwareand software used for acquisition (Burnette, 2002). He alsodescribed several methods of examination, including theuse of hex editors and emulators. Later research providedfoundational concepts on forensic analyses of the newgenerations of smartphones (e.g., BlackBerry and iPhone). Itoutlined the technologies used, the handling procedures,and the common evidence storage locations for eachdevice. The data that could be extracted from the internalmemory of these devices included call logs, SMS, MMS,

emails, webpage bookmarks, photos, videos, and calendarnotes (Punja and Mislan, 2008).

Recent scientific research has focused on individualtypes of smartphones, investigating themethods that couldbe used to acquire and analyze the internal memory of thedevice and the data that could be extracted from eachdevice. iPhone data could be acquired by either a physicalor a logical method. The physical method requires jail-breaking the system, which causes a slight modification tothe system’s data (Kubasiak et al., 2009). However, thelatest technique developed by Zdziarski acquires a phys-ical-logical image of an iPhone without jailbreaking thephone (Zdziarski, 2010). It is considered the best forensicmethod for acquiring iPhone and has been evaluated by theNational Institute of Standard and Technology (NIST)(National Institute of Standards and Technology, 2010).Similar to iPhones, Android-based smartphones can also beacquired using either a physical or a logical method. Thephysical technique consists of obtaining a dd image of thephone’s memory and requires root access to the device(Lessard and Kessler, 2010). Vidas et al. discuss an acquisi-tion methodology based on overwriting the “Recovery”partition on the Android device’s SD card with specializedforensic acquisition software (Vidas et al., 2011).

2.2. Social networking forensic artifacts

Scientific research has also included the investigation ofartifacts left by social networking sites on computersystems and tools that assist in the extraction of theseartifacts. Zellers has examined the unique data tags createdin different MySpace source-code pages and used thesetags to create focused artifact keyword searches (Zellers,2008). Other research discussed the process of recoveringand reconstructing Facebook chat artifacts froma computer’s hard disk (Al Mutawa et al., 2011).

Because many social networking applications are inte-grated into new smartphones, in cases involving socialnetworks, forensic examiners may be able to find relevantevidence on a suspect’s smartphone. A forensic examinationof the iPhone 3GS (via a logical acquisition) showed thata database related to the Facebook application is storedon thephone’s memory. The database stores data for each friend inthe list, including their names, ID numbers, and phonenumber (Bader and Baggili, 2010). Two other directoriesrelated to the Twitter application were also found. Thesedirectories store information about Twitter account data,attachments sent with tweets, user names, and tweets withdate and time values (Morrissey, 2010). A forensic examina-tion of an Android phone’s logical image showed that basicFacebook friend information is stored in the contactsdatabase(contacts.db) as the device “synchronizes contact’s Facebookstatus updates with the phone book” (Lessard and Kessler,2010). It also showed that the device stores Twitter pass-words and Twitter updates performed through the Twitterapplication in plain text (Lessard and Kessler, 2010). Forensicresearch papers on BlackBerry phones and Windows smart-phones, however, did not mention finding or recovering anydata related to the use of social networking applications.

Similar to computers, smartphones store data that canhelp determine how the device has been used or misused.

N. Al Mutawa et al. / Digital Investigation 9 (2012) S24–S33 S25

Therefore, activities performed through social networksapplications may be stored on smartphones. However,previous research has been limited to the recovery of verybasic information related to the use of social networkingapplications. It is clear that further experiments focusing onthe recovery of artifacts related to the use of socialnetworking applications are required to determinewhether activities performed through these applicationsare stored and can be recovered from smartphones.

3. Methodology

The main purpose of this research is to determinewhether activities performed through smartphone socialnetworking applications are stored on the internal memoryof these devices and whether these data can be recovered.These data can be of high evidentiary value, which canassist in the investigation of criminal, civil, or other types ofcases. The goal of this study was achieved by conductingexperiments on a number of smartphones. Manual forensicexaminations and analyses were performed on threecommonly used social networking applications on smart-phones: Facebook, Twitter, and MySpace. The experimentswere conducted on three popular smartphones: Black-Berrys, iPhones, and Android phones.

In a real investigation, law enforcement agencies mayhave access to data from the social networking providers.Depending on the nature of the investigation, jurisdictionalissues and the degree to which the social networkingprovider is co-operative with law enforcement, theprovider may prove to be a more convenient source ofdigital evidence about social networking use than thesmartphone. However, investigation the smartphone hastwo-fold value. It is often useful to corroborate evidencefrom different sources, such as from the provider and thenfrom the smartphone. Moreover, especially in an era ofubiquitous mobile Internet connections, many traditionaltelephony services (such as text messaging) are providedvia social networking sites through their smartphone apps.It may be crucial to the reconstruction of a crime to knowwhether particular social networking activities (alreadyreflected in data from the service provider) took place ona particular smartphone.

The experiments were conducted using forensicallysound approaches and under forensically acceptableconditions to fulfill a crucial rule in digital forensics, whichis to preserve the integrity of the original data and toprevent it from any contamination that would interferewith its acceptance in court. The test and examinationprocedure was derived from the Computer Forensics ToolTesting program guidelines established by the NationalInstitute of Standards and Technology (NIST) to ensure thequality of the testing methods and the reliability and val-idity of the results (National Institute of Standards andTechnology, 2001).

The research aimed toworkwith realistic data similar tothat found in an actual investigation. In a real investigation,suspects may use different social networking applicationson smartphones and conduct different activities througheach of them. They may also use jailbroken iPhones or

rooted Android devices. The experiments were designedaccordingly.

3.1. Test environment and requirements

Prior to conducting the experiments, a forensic work-station was set up and configured. Once the forensicworkstation was ready, it was isolated from the lab’snetwork. The following is a list of the hardware and soft-ware used to conduct the experiment:

" Two Blackberry Torch 9800 phones (software version:6.0 Bundle 862).

" Two iPhone 4 devices, 32GB (version 4.3.3 8J2)." One Android phone (Samsung GT-i9000 Galaxy S –

Firmware version 2.3.3)." Facebook, Twitter, and MySpace applications for each

tested phones." BlackBerry Desktop Software (version 6.1.0 B34)." Apple iTunes Application (version 10.4.0.80)." TextPad (version 4.5.2)." Plist Editor for Windows (version 1.0.1)." SQLite Database Browser (version 1.3)." DCode (version 4.02a)." EnCase (version 6.5)." A software USB write-blocker (Thumbscrew)." USB data cables." A Micro SD card." A Micro SD card reader." Odin3 (version 1.3), a tool to upload a root-kit to the

Android device." MyBackup Rerware, LLC (version 2.7.7).

The configurations of the smartphones were not altered.Temporary storage cache sizes, for instance, were notmodified from factory defaults. Changing the default cachesize would likely affect the volume of recoverable digitalevidence found on the smartphone.

3.2. Test procedure

The test procedure consisted of three stages: scenarios,logical acquisition, and analysis. The following sectionsdescribe each stage in details.

3.2.1. ScenariosThis stage involved conducting common user activities

on social networking applications on the smartphones. TheFacebook, Twitter, andMySpace applications were installedon each device if they were not already integrated with thedevice. These applications were chosen simply because oftheir availability as stand-alone applications for each plat-form. For the purpose of the experiments, fictionalaccounts with fictional users were created on each socialnetworking website and were logged into and usedthrough the smartphones’ applications. For each device,a predefined set of activities were conducted using eachapplication. The activities were chosen to representcommon activities, such as uploading photos, posting

N. Al Mutawa et al. / Digital Investigation 9 (2012) S24–S33S26

comments, sending emails within the application, andchatting.

3.2.2. Logical acquisitionThe second stage involved acquiring a logical image of

the internal memory of each device. The acquisitions wereperformed in a controlled environment using forensicallysound techniques to ensure the integrity of the acquireddata and its potential admissibility in court. As is always thecasewith all logical acquisitions, there is the possibility thatdata remnants of inactive files may be missed in the courseof such an acquisition. In computer forensics for example,a logical acquisition may miss data stored in slack space.The same issue exists with all logical acquisition techniquesfor smartphones.

As the tested phones had three different operatingsystems, specific tools and configurations were required tomanually acquire a logical image of each device. Detailedmethods of acquisition are presented later in the paper.

3.2.3. AnalysisThe third stage involved performing forensic examina-

tions to the acquired logical image of each device, todetermine whether the activities conducted through theseapplications were stored on the device’s internal memory.If so, the amount, location, and significance of the data thatcould be found and retrieved from the logical image of eachdevice were determined. The examinations were con-ducted manually using a number of tools to view theacquired images, determine the unique headers or signa-tures in each structure, search for data related to the socialnetworking applications, and determine how these datawere stored on each device.

4. Implementation and analysis

The first stage of the experiment involved installing thesocial networking applications and conducting the pre-defined activities on each device. This stage was straight-forward and general for all of the tested devices. For thetwo BlackBerry Torch phones, the Facebook, Twitter, andMySpace applications were already preinstalled by themanufacturer. For the two iPhones, Facebook (version3.4.4), Twitter (version 3.3.5), and MySpace (version 2.0.7)were downloaded from the App Store and installed on thedevices. For the Android phone, Facebook (version 1.6.3),Twitter (version 2.1.2), and MySpaceDroid (version 1.0.7)were downloaded from the Android Market and installedon the devices. All of the tested applications were createdby the official social networking companies except forMySpaceDroid (the official MySpace application could notbe installed on the tested Android phone).

Once the applications were installed on the devices, thepredefined activities were conducted on each device. Theactivities represented common user activities and activitiesthat would of interest to the forensic examiner. These activ-ities included uploading photos, posting comments, sendingemails, andchatting. Table1 represents all activities thathavebeen performed on each application of each tested device.

Similar activities were conducted on each tested phone;however, unique data were used on each application for

each phone to reduce redundant data and simplify theanalysis phase. After conducting the social networkingactivities on the tested phones, a logical image of theinternal memory of each device was acquired and analyzedfor evidence of the conducted activities. Table 2 shows a listof keywords used to search for traces of each socialnetworking application’s usage. The following sectionsdescribe the procedures used for the acquisition andanalysis of each tested smartphone.

4.1. BlackBerry forensic examination

This section describes the process of the logical acqui-sition and forensic analysis of the two tested BlackBerryphones. The processes for both phones were identical, andthe analysis results were similar.

Table 1Activities performed on each application of each tested device.

Application Performed activities Comments

Facebook Login with user name:[email protected] password: mushroom77

–

Post in news feed –

Upload photos þ captions –

Send email messages –

Post on friend’s wall –

Instant messaging (chat) –

View profiles of friends –

Twitter Login with user name:[email protected] password: mushroom246

–

Follow people –

Post tweets –

Upload photos –

MySpace Login with user name:[email protected] password: mushroom888

–

Upload pictures Did not functionfor Android

Add friends –

Change status –

Check emails –

Send emails –

Post comments –

View profiles –

Instant messaging (chat) Did not functionfor Android

Table 2Keywords for searching for social networking activity.

Application Keywords

All [email protected] mushroom888, infected mushroom,

gloomy, hello myspaceTwitter mushroom246, ForensicFocus, Jzdiarski,

jonathan zdziarski, Sctan, Mushrooom2011,“Amazing how time runs fast!!”, “so hot and humid!!”

Facebook mushroom77, “craving for shake shack!!”,“hello cheza”, “lets go to the mall”, “hellooooo”,“hey im here”, “what time shall we go?”, “9pm?”,“ok see u later”, Infected, Cheza,


4.1.1. Logical acquisitionThe logical acquisition of the BlackBerry phones was

performed using BlackBerry Desktop Software (BDS). BDS isa management application that is freely available on theBlackBerry official website. It is designed to synchronizedata, applications, and media files between the BlackBerrydevice and the host computer. It is also used to createbackup copies of data from the BlackBerry phone and savethem on the host computer. BDS is not designed for forensicacquisition. However, there are several advantages of usingit to acquire a logical copy of a BlackBerry device. First, it isproduced by the same company which produces thedevice; thus, more data may be obtained using BDS thanwith some forensic tools produced by companies withlesser familiarity with BlackBerry. Finally, backup filesacquired through BDS can be inspected using a BlackBerryemulator.

A rule of thumb in the field of digital forensics is not toalter the original data acquired from the subject’s device. Bydefault, BDS is set to synchronize the phone’s date and timewith those of the host computer. If this option is notdeactivated, it can strongly affect the validity of evidence ina criminal investigation by changing the original dates andtimes of the subject phones, contaminating the evidence.Therefore, this option must be explicitly disabled beforeattempting to attach and backup the subject’s phone.

After configuring BDS to not synchronize the BlackBerryphone with the host computer, a logical bit-by-bit image ofthe test device was created using the “Backup” option fromthe Device menu. The logical image was created manuallyby performing a full backup of the device. Once the backupprocess was completed, the device was disconnected fromthe forensic workstation.

4.1.2. Examination and analysisAcquiring a logical image of the BlackBerry phones

resulted in the creation of a single proprietary IPD file foreach phone. The files were storedwithin the default backupdirectory and by default had the naming style “BlackBerrymodel (current date).ipd” (e.g., BlackBerry Torch 9800 (July30, 2011).ipd). Viewing the IPD file using a text editorshowed that it had a unique header that starts with “Inter@ctive Pager Backup/Restore File”. The file contained data-bases of user data and configurations. Examining thecontents of the files revealed that they contained user data,such as contacts, SMS messages, MMS messages, and calllogs. However, no traces of the social networking activitiesperformed during the test were found.

4.2. iPhone forensic examination

This section describes the process of the logical acqui-sition and forensic analysis of the two iPhones. The acqui-sition processes for both phones were identical, and theanalysis results were similar.

4.2.1. Logical acquisitionThe logical acquisitions of the iPhone 4G devices were

performed using the Apple iTunes application (version10.4.0.80). Similar to BDS, iTunes is a synchronization andmanagement application and is freely available on the

Apple official website. It is designed to synchronize data,applications, and media files between Apple devices (e.g.,iPhone, iPad, and iPod) and the host computer. It is alsoused to create backup copies of data from the Apple deviceand save them on the host computer. iTunes is not designedfor forensic acquisition. However, it is an option thatforensic practitioners can use to obtain a logical image(backup file) of an Apple device. Backup files may also existon the suspect’s computer if the suspect had previouslyperformed a sync operation or a software update orrestored their device to its factory settings.

It is critical for a forensic examiner to ensure theintegrity of the acquired evidence. Therefore, the iPhonelogical acquisitions were conducted in a forensically soundenvironment. Before attaching each iPhone to the forensicworkstation, it was critical to disable automatic synchro-nization option from the iTunes application. By default,iTunes automatically syncs the device to the host computeronce the device is connected.

Disabling automatic synchronization preserves theintegrity of the iPhone’s data, as it prevents the user’s datafrom being exchanged between the iPhone and the hostcomputer. Once iTunes was configured, the iPhone wasattached to the forensic workstation through a USB datacable. After beingdetectedby the iTunes application, a logicalacquisition was manually initiated by right-clicking on thedevicenameand selecting “backup”. iTunes created a backupcopy of the iPhone, and by default, it placed the backup filesin the following directory: C:\Users\[user]\AppData\R-oaming\Apple Computer\MobileSync\Backup\[unique identi-fier]. Once thebackupprocesswascompleted, the iPhonewasdisconnected from the forensic workstation.

4.2.2. Examination and analysisAcquiring a logical image of the iPhones using iTunes

resulted in the creation of a folder with a unique alpha-numeric name (hash value) for each iPhone, which con-tained the backed-up logical file. Both folders includedthree plist files, one mbdb file, onembdx file, and a numberof backup files with no apparent extensions. Each of thebackup files was distinguished by a unique alphanumericidentifier of 40 characters.

Viewing and examining the backup files in a text editorshowed that these files are in binary format or plain text thatmay contain encapsulated images, SQLite database files, orother plist files. To examine the contents of each file, theyhad to be decoded and viewed using the appropriate tools.Each file type was determined by the header containedwithin the file. Files starting with the header “bplist00”contained binary plist data, and files starting with theheader “SQLite format 3” contained SQLite databases. Anumber of tools were used to manually examine thecontents of the backup files according to their type. PlistEditor forWindows (version 1.0.1)was used to help read andexamine backup files that contained plist data, and SQLiteDatabase Browser (version 1.3) was used to help read andexamine backup files that contained SQLite databases.

Manual examination of the backup files showed thatthey contained a vast amount of user data, including sentand received SMS, calendar events, call history, and addressbook entries. However, the main focus of this research was


to determine whether footprints of social networkingapplications were stored within these backup files. TheCommand-line utility was used tomanually search the fileswithin the backup directory for keywords that relate to thesocial networking activities conducted during the experi-ment. Files containing the keywords were then decodedusing the appropriate tools (e.g., Plist Editor and SQLiteDatabase Browser), and their contents were thoroughlyexamined for traces of the activities that were conductedearlier in the experiment.

4.2.2.1. Facebook artifacts. Examination and analysis of thebackupfiles revealed a number of SQLite andplistfiles relatedto the tested social networking applications. Many files con-tained the strings “Facebook”, “Twitter”, and “MySpace”;however, only a few contained data of interest to the forensicexaminer. Three files contained data related to the iPhoneFacebookapplication. Thefirst twofileswereSQLitedatabaseswith the hashed names 6639cb6a02f32e0203851f25465ffb89ca8ae3fa and 9f2140d8e87b45a9bb5dfc813fd2299-c02851e6b. Viewing the first file using the SQLite DatabaseBrowser showed that it contained a table that stored Facebookfriend data. The table stored the friends’ profile IDs, first andlast names, URLs pointing to their profile pictures on Face-book, phone numbers, and email addresses.

The second file contained traces of the user’s previousactivities of uploading photos and posting commentsthrough the Facebook application. It stored data such as theuser’s name, profile ID, the nature of the activity performed(e.g., uploading photos), and timestamps of the performedactivities. The timestamps were stored in UNIX numericvalues. Comparing the decoded date and times to the dateand times of the activities performed on the actual Face-book webpage showed that the pictures were uploadedand the comments were posted within the same period oftime. Fig. 1 shows the actual activities as they were pre-sented on the Facebook website. Fig. 2 shows the traces ofactivities stored in the SQLite database.

The third file that contained data related to the iPhoneFacebook application was a plist file with the hashed name384eb9e62ba50d7f3a21d9224123db62879ef423. The filestored details about the user, including the last emailaddress used to log into the Facebook account, the uniqueidentifier (ID) that identified the user’s profile and username, and a URL address pointing to the user’s profilepicture on Facebook.

Further examination of the plist file 384eb9e62-ba50d7f3a21d9224123db62879ef423 yielded more inter-esting results. In addition to the details of the last logged-inuser, the plist file contained other information that could besignificant to the forensic examiner. It stored a record of allusers that have previously logged into their Facebookaccounts using the Facebook application. This informationincluded user names, profile IDs, andURL addresses pointingto their profile pictures on Facebook. Furthermore, the plistfile stored the details of the friends who had an active chatsessionwith the Facebook user. The details included the usernames of the friends, their profile ID, URL addresses pointingto their profile pictures on Facebook, and a timestamp ofwhen the chat session was initiated.

4.2.2.2. Twitter artifacts. The iPhone Twitter application hadtwo plist files that contained data that may be of significanceto the forensic examiner: eb8899d553cf563080453-f9a366600de1dcf6286 and f77282c60c3cee3ffce4a8bba2760fd954d4921f. The first file held the Twitter application’s userinformation including the user name, URL link pointing to theuser’s profile picture, tweets posted by the user, and thetimestamps of posted tweets. The second file contained theuser’s details plus some other information. It held records ofpeople followed by the user, their user names, detailedinformation taken from their profile pages,URL linkspointingto their profile pictures, tweets posted by them, and thetimestamps of their posted tweets. Fig. 3 show the details ofa tweet posted by the user of the iPhone Twitter applicationrecovered from the first iPhone file, and the correspondingtweet extracted from the Twitter website.

4.2.2.3. MySpace artifacts. The iPhone MySpace applicationhad two files that contained data that may be of significanceto the forensic examiner: a SQLite file 48598f280bb577d1e68aaddadccba35c54acbb48 and a plist file e5cb579c7bdf12b996bd865ecf6290ab94374abd. The SQLite file contained the usernameof the iPhoneMySpace application, plus comments thatthe user had posted in the streamwith timestamps encodedin absolute value. Table 3 shows a record of one of the postedcomments and its timestamp.

4.2.2.4. Dynamic directory. Another file that held data ofinterest to this study was 0b68edc697a550c9b977b77cd012fa9a0557dfcb. Examining the contents of the file ina text editor showed that it started with the header(DynamicDictionary-4) and stored snippets of text that hadbeen typed using the iPhone’s keyboard. Performing sometests regarding the contents of this file showed that it storesuser keyboard inputs to applications on the iPhone;including social networking applications. Parts of thecomments, emails, and chat messages that have been usedthrough the experiment; and were not stored elsewhere onthe backup files, were found in this file.

4.3. Android forensic examination

This section describes the process of the logical acqui-sition and forensic analysis of the Android phone (SamsungGT-i9000 Galaxy S – Firmware version 2.3.3). Unlike othersmartphones, unless the Android phone was rooted, manydata files could not be accessed or backed up by backupprograms. Therefore, the tested Android phone was firstrooted using Odin3 (version 1.3) to upload the root-kit (CFRoot XW).

Installing a root-kit allows the user to gain privilegecontrol over the Android OS (root access), allowing him tobypass some limitations that the manufacturers put on thedevice. Having a rooted Android phone also allows the userto access protected directories on the system that hold userdata (e.g., /data/data directory) and backup all of the files inthese directories. These data files can hold a significantamount of data that may support an ongoing investigation.The process is not uncontroversial in the forensics litera-ture (see for example, the discussion in Vidas et al. (2011)),


and ideally, a thorough method of logical acquisitionwhichdoes not require rooting or other modification of the soft-ware running on the Android device will be identified infuture research.

4.3.1. Logical acquisitionUnlike Blackberrys and iPhones, Android phones do not

have a unified management and backup solution. Variouscompanies have released different backup tools which givethe user the option of backing up the device on either thephone’s SD Card or the company’s server. One such appli-cations is MyBackup.

To acquire a logical backup of the Android phone,MyBackup (v2.7.7)was installed on the testAndroid phone. Anew Micro SD external card was placed into the test phone.The Micro SD card was selected as the location to store thebackup files. All three tested social networking applicationswere selected, and the associateddatafileswerebackeduptothe external Micro SD card. Once the backup process wascompleted, theMicro SDexternal cardwas removed from thetest phone and attached to the forensic workstation toexamine the backup files and perform the forensic analysis.

4.3.2. Examination and analysisAcquiring a logical backup of the data files associated

with the Facebook, Twitter, and MySpace applications onthe Android phone using MyBackup resulted in the

creation of a backup directory on the external Micro SDcard. The Directory had the default path \rerware\MyBack-up\AllAppsBackups\[AppsMedia_yyyy_mm_dd]\Apps. Thedirectory contained three archive (ZIP) files, one for eachtested app:

" com.facebook.katana_4130.zip" com.kozmo.kspace_4.zip" com.twitter.android_134.zip

4.3.2.1. Facebook artifacts. The three backed up files werecopied to the forensic workstation, where each wasextracted and thoroughly examined for traces of the socialnetworking activities performed during the tests. The firstfile com.facebook.katana_4130.zip was associated with theFacebook application. It contained three subdirectories:databases, files, and lib, which contained a number of files.The two directories that held relevant data for this studywere databases and files.

The databases folder held three SQLite files: fb.db,webview.db, and webviewCache.db. Viewing each filethrough the SQLite Database Browser and examining itscontent yielded interesting results. The first file fb.db con-tained tables that held records of activities performed bythe Android Facebook application user, including createdalbums, chat messages, list of friends, friend data, mailbox

Fig. 1. The actual photos and comments as presented on the Facebook website.


Fig.

2.Traces

ofup

load

ingph

otos

andpo

stingco

mmen

tsus

ingtheiPho

neFacebo

okap

plication.


messages, and uploaded photos. The records includedsignificant information for the forensic investigator, such asthe users’ IDs, contents of exchangedmessages, URL links ofuploaded pictures, and timestamps of performed activities.

The files folder contained a number of files with namesthat consisted of seemingly random letters and numbersand that did not have any extensions. Viewing the files ina text editor and examining their headers showed the (JFIF)marker segment, indicating that these files were (JPEG)image files. Using Windows Photo Viewer to open the filesshowed the actual image containedwithin each file. Imagescontained within these files were either pictures that theuser had viewed from within the Android Facebook appli-cation or pictures that he uploaded from within theapplication. Files of uploaded pictures had their namespreceded with the word “upload”.

4.3.2.2. Twitter artifacts. The second archive file com.twit-ter.android_134.zipwas associatedwith the Android Twitterapplication. It contained a folder called databases, whichcontained three SQLite files. One of the files, 342525691.db,stored interesting data. It contained tables that storedrecords of posted tweets, photos, friends, users, and otherdata associated with activities performed through theAndroid Twitter application. Besides storing the author IDs,timestamps, and contents of the posted tweets, the recordsalso stored data about the source of the posted tweets, e.g.,posting through the website, an iPhone application, or anAndroid phone application.

4.3.2.3. MySpace artifacts. The third archive file, com.koz-mo.kspace_4.zip, was associated with the Android MySpaceapplication. It contained a folder called databases, whichcontained three SQLite files. As mentioned earlier, thetested MySpace application was not the official applicationcreated by the MySpace company but a web-based appli-cation created by another group. Examining the threeSQLite files showed that they stored cookies and cache filesassociated with navigating the MySpace website. It alsoshowed that the file webview.db stored the user name andthe password of the MySpace application in plain text.

4.4. Results summary

Table 4 summarizes the results of our analysis for eachapplication on each device examined.

Fig.

3.Th

ereco

rdof

a“twee

t”from

theiPho

nefile,a

ndtheco

rrespo

ndingtw

eeton

theTw

itterweb

site.

Table 3Record of a posted comment in MySpace.

ZTIMESTAMP ZMESSAGE Decoded timestamp

338556819.798738 The weatheris getting better

Saturday, 24 September2011 15:33:40 þ0400

The plist file contained the user name and password in clear text.For example:

<dict><key>password</key><string>mushroom888</string><key>user name</key><string>[email protected]</string></dict>


5. Future work

There are several major items of future work leadingdirectly from this study. First, more experimental cases arerequired to examine a greater variety of smartphones andsocial networking applications alike. Second, differentsmartphones employ a variety of techniques to “lock” thedevice’s interface and encrypt the data stored on the phonewhile the device is locked, and these privacy measures alsoserve as anti-forensics techniques to be overcome. Researchinto this issue would likely require different techniques foreach smartphone platform.

6. Conclusions

Few studies have addressed the forensic analysis andrecovery of activities performed through social networkingapplications on smartphones. These studies have also beenlimited to the recovery of very basic information related tothe use of social networking applications. This studyfocused on the recovery of artifacts and traces related to theuse of social networking applications on a variety ofsmartphones using different operating systems. It aimed todetermine whether activities performed through theseapplications are stored and can be recovered from theinternal memory of these smartphones. The tested socialnetworking applications were Facebook, Twitter, andMySpace, which were used on BlackBerry, iPhone, andAndroid.

The study explored the forensic acquisition, analysis andexamination of the logical backup copies of the threesmartphones. The tests consisted of installing the socialnetworking applications on each device, conductingcommon user activities through each application, acquiringa forensically sound logical image of each device, and per-forming manual forensic analysis on each acquired logicalimage. The forensic analysis determined the amount,significance, and location of social networking data thatcould be found and retrieved from the logical image of eachdevice.

The results showed that no traces of social networkingactivities could be recovered from BlackBerry devices.However, iPhones and Android phones stored a significantamount of valuable data that could be recovered and used bythe forensic investigator. The paper documented the natureof the social networking data that could be recovered fromeach device and their locations fromwithin the backup files.We hope that the paper can inspire the creation of digitalforensics tools to extract and reconstruct social networkingdata from a variety of modern smartphones.

References

Al Mutawa N, Al Awadhi I, Baggili I, Marrington A. Forensic artifacts ofFacebook’s instant messaging service. In: Proceedings of the 2011International Conference for Internet Technology and SecuredTransactions (ICITST); 2011. p. 771–6. Abu Dhabi, UAE.

Al Zarouni M. Mobile handset forensic evidence: a challenge for lawenforcement. In: Proceedings of the 4th Australian Digital ForensicsConference; 2006. Perth, Australia.

Bader M, Baggili I. iPhone 3GS forensics: logical analysis using appleitunes backup utility. Small Scale Digital Device Forensics JournalSeptember 2010;4(1).

Burnette MW. Forensic examination of a RIM (BlackBerry) wirelessdevice. Retrieved on 18 February 2012 from: http://www.mandarino70.it/Documents/Blackberry%20Forensics.pdf; 2002.

de Paula AMG. Security aspects and future trends of social networks. In:Proceedings of the Fourth International Conference of ForensicComputer Science; 2009. p. 66–77. Natal City, Brazil.

Facebook. Statistics. Retrieved on 26 May 2011 from: http://www.facebook.com/press/info.php?statistics; 2011.

Finn Ruder. New study shows ‘intent’ behind mobile Internet use.Retrieved on 18 February 2012 from: http://www.prnewswire.com/news-releases/new-study-shows-intent-behind-mobile-internet-use-84016487.html; 2012.

International Telecommunications Union. The rise of social networking.Retrieved on 18 February 2012 from: http://www.itu.int/net/itunews/issues/2010/06/35.aspx; 2010.

Kubasiak R, Morrissey S, Varsalone J. Macintosh OS X, iPod, and iPhoneforensic analysis DVD toolkit. Burlington, MA: Syngress; 2009.

Lessard J, Kessler GC. Android forensics: simplifying cell phone exami-nations. Small Scale Digital Device Forensics Journal September 2010;4(1).

Morrissey S. iOS forensic analysis for iPhone, iPad, and iPod touch. NewYork: Apress; 2010.

National Institute of Standards and Technology. General test methodologyfor computer forensic tools. Retrieved on 18 February 2012 from:http://www.cftt.nist.gov/documents.htm; 2001.

National Institute of Standards and Technology. Test results for mobiledevice acquisition tool. Zdziarski’s Method; 2010.

Punja SG, Mislan RP. Mobile device analysis. Small Scale Digital DeviceForensics Journal June 2008;2(1).

Vidas T, Zhang C, Maloof M. Toward a general collection methodology forAndroid devices. In: Proceedings of the Eleventh Annual DFRWSConference, vol. 8S; 2011. p. S14–23. New Orleans, USA, published inDigital Investigation.

Zdziarski J. iPhone forensics: recovering evidence, personal data, andcorporate assets. Sebastopol, CA: O’Reilly; 2010.

Zellers F. MySpace.com forensic artifacts keyword searches. Retrieved on18 February 2012 from: http://www.inlanddirect.com/CEIC-2008.pdf;2008.

Table 4The significant social networking data that could be recovered from thelogical image of each smartphone.

Smartphone Application Description

BlackBerry Facebook Not foundBlackBerry Twitter Not foundBlackBerry MySpace Not foundiPhone Facebook User and friend data incl.

contact details and profilepicture URLsPhoto uploadsComments postedTimestampsAll previously logged in usersFriends with active chat sessions

iPhone Twitter For user and people followed:User namesProfile picture URLsTweets postedTimestamps

iPhone MySpace User name/PasswordPosted commentsTimestamps

Android Facebook User and friend data incl.contact details and profilePhoto uploadsCreated albumsPictures viewed with appMailbox/Chat messages

Android Twitter For user and people followed:User namesPosted tweets and photosOther activity information(e.g., device used to tweet)

Android MySpace User name/PasswordCookies & cache files
